Xikug's protecter v0.3
[Target]: xikug's protecter v0.3 main program
[Tools]: OllyDbg 1.1 (DIY version), LordPE, ImportREC 1.6F
[Task]: analyze the shell
[Platform]: WinXP SP2
[Author]: loveboom [dfcg] [fcg] [US]
[Related links]: search the Internet
[Brief description]: I have come across this shell a few times, but never had the time to savour it properly; today I decided to take a clear look at it.
[Detailed procedure]:
Settings: in OllyDbg's exception options, tick every ignore-exception box except INT3 breakpoints.
Before loading, write a short OllyScript. The script is as follows:
REPL EIP, # e807000000 ???? 83c013eb0b58eb02 ???? 83C002EB01 ?? 50C3 ?? #, # 90909090909090909090909090909090909090909090909090909090909090 #, 100
REPL EIP, # e803000000 ?????? 58eb01 ?? 83c00750c3 ???? #, # 90909090909090909090909090909090909090909090 #, 1100
REPL EIP, # e808000000 ???? 83c00f50c3 ?? 5883C002FFE0 ?????? #, # 909090909090909090909090909090909090909090 #, 11000
REPL EIP, # E8160000008B5C240C8BA3C4000000648F050000000083C404EB1464FF35000000006489250000000033C999F7F1 ?? #, # 9090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090 #, 1000
REPL EIP, # 33F6E8100000008B642408648F050000000058EB13 ???? 64FF350000000064892500000000AD ???? #, # 90909090909090909090909090909090909090909090909090909090909090909090909090909090 #, 1000
REPL EIP, # B904000000E81F000000 ???? E816000000 ?? EBF8 ???? 58EB09 ???? E8F2FFFFFF ???? 4975F1EB05EBF9EBF0 ?? #, # 9090909090909090909090909090909090909090909090909090909090909090909090909090909090909090 #, 1000
REPL EIP, # eb01 ?? 31f0eb0c33c8eb03eb09 ?? 59740575f851ebf1 #, # 90909090909090909090909090909090909090909090909090 #, 100
RET
After writing it, load the target program in OD.
Run the script to strip the junk code, then set a memory access breakpoint on the .xikug section and press F9. We arrive here:
004A3121 E8 00000000 CALL 004A3126 ; the shell code starts here; everything in between is junk code
004A3126 5D POP EBP
004A3127 81ED 26514000 SUB EBP, 00405126 ; compute the relocation delta in EBP
004A312D 89AD F6BD4000 MOV DWORD PTR SS:[EBP+40BDF6], EBP ; save the delta
......
004A3149 8D85 60524000 LEA EAX, DWORD PTR SS:[EBP+405260] ; start address 4A3260
004A314F 8D8D 04BA4000 LEA ECX, DWORD PTR SS:[EBP+40BA04] ; end address of the INT3 / JMP OEP code, 4A9A04
004A3155 8D95 81974000 LEA EDX, DWORD PTR SS:[EBP+409781] ; start address of the INT3 exception code, 4A7781
004A315B EB 0B JMP SHORT 004A3168
004A315D 8030 58 XOR BYTE PTR DS:[EAX], 58 ; very simple decryption: opcode XOR 58 ("X")
004A3160 3BC2 CMP EAX, EDX ; is this byte at or past the INT3 code? if so, having just been decrypted, it is encrypted again with XOR 52
004A3162 72 03 JB SHORT 004A3167 ; the shell later debugs itself and the parent restores that region, so it does not stay decrypted here
004A3164 8030 52 XOR BYTE PTR DS:[EAX], 52
004A3167 40 INC EAX
004A3168 3BC1 CMP EAX, ECX ; not finished yet? loop
004A316A ^72 F1 JB SHORT 004A315D
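As an added illustration (example code written for this write-up, not the shell's own code): a C model of this two-stage loop and of the XOR 52 that the parent later applies from its INT3 handler, run on a constructed 8-byte window straddling 4A7781. It assumes the packed bytes on disk are plain XOR 58 in both regions, which is what the loop implies.

```c
/* Added example: model of the stub's decryption loop (004A315D..004A316A)
 * and of the parent debugger's XOR 52 restore (0049F5AA), on a constructed
 * window of bytes. Not code from the shell. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define STUB_START 0x004A3260u   /* EAX: first byte decrypted */
#define INT3_START 0x004A7781u   /* EDX: start of the INT3-handled region */
#define CODE_END   0x004A9A04u   /* ECX: one past the last byte */

/* The stub's loop. mem[0] lives at virtual address `base`. Every byte in
 * [STUB_START, CODE_END) is XORed with 58; bytes at or above INT3_START are
 * then XORed with 52 again (CMP EAX,EDX / JB skips that second XOR). */
void stub_decrypt(uint8_t *mem, uint32_t base, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        uint32_t eax = base + (uint32_t)i;
        if (eax < STUB_START || eax >= CODE_END) continue;
        mem[i] ^= 0x58;
        if (eax >= INT3_START) mem[i] ^= 0x52;
    }
}

/* What the parent does in its INT3 handler: XOR 52 over [INT3_START, CODE_END),
 * written back into the child one byte at a time. */
void debugger_restore(uint8_t *mem, uint32_t base, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        uint32_t ecx = base + (uint32_t)i;
        if (ecx >= INT3_START && ecx < CODE_END) mem[i] ^= 0x52;
    }
}

/* Constructed window: 4 bytes before INT3_START and 4 bytes from it on.
 * Assumption: the on-disk form is plain ^ 58 for both regions. */
static const uint8_t plain[8] = { 0x55, 0x8B, 0xEC, 0x60, 0x33, 0xC9, 0x8B, 0x9D };
static const uint32_t window_base = INT3_START - 4;

static void load_window(uint8_t out[8])
{
    for (int i = 0; i < 8; i++) out[i] = plain[i] ^ 0x58;
}

/* 1 if the bytes before INT3_START are plain once the stub has run. */
int demo_main_region_plain(void)
{
    uint8_t mem[8];
    load_window(mem);
    stub_decrypt(mem, window_base, 8);
    return memcmp(mem, plain, 4) == 0;
}

/* 1 if the INT3 region is plain. With parent_ran == 0 it is still plain ^ 52,
 * so a child started on its own (no parent debugger) executes garbage there. */
int demo_int3_region_plain(int parent_ran)
{
    uint8_t mem[8];
    load_window(mem);
    stub_decrypt(mem, window_base, 8);
    if (parent_ran) debugger_restore(mem, window_base, 8);
    return memcmp(mem + 4, plain + 4, 4) == 0;
}

int main(void)
{
    printf("main region plain: %d\n", demo_main_region_plain());
    printf("INT3 region plain without parent: %d, with parent: %d\n",
           demo_int3_region_plain(0), demo_int3_region_plain(1));
    return 0;
}
```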
First, copy out the code from 4A7781 to 4A9A04 as it appears at this point:
33 C9 8B 9D FE C1 40 00 EB 15 FF 34 8B FF B5 F6 BD 40 00 FF B5 DE BD 40 00 E8 DE 78 FF FF 41 3B
8D FA C1 40 00 72 E8 E8 08 00 00 00 0F 01 83 C0 0F 50 C3 FF 58 83 C0 02 FF E0 0F 01 0C B9 04 00
......
E8 F2 FF FF FF 0F B9 49 75 F1 EB 05 EB F9 EB F0 D6 E8 07 00 00 C7 83 83 C0 13 EB 0B 58 EB 02
CD 20 83 C0 02 EB 01 E9 50 C3 E8 E8 08 00 00 0F 01 83 C0 0F 50 C3 FF 58 83 C0 02 FF E0 0F 01
0C EB 01 0F 31 F0 EB 0C 33 C8 EB 03 EB 09 0F 59 74 05 75 F8 51 EB F1 B9 04 00 00 00 E8 1F 00 00
00 EB FA E8 16 00 00 EB F8 00 00 58 EB 09 0F 25 E8 F2 FF F1 EB 05 EB F9
EB F0 D6 C3
......
004A3260 8B4424 18 MOV EAX, DWORD PTR SS:[ESP+18] ; prepare to find kernel32.dll's HMODULE: a return address inside kernel32 is taken from the stack
004A3264 25 0000FFFF AND EAX, FFFF0000 ; clear the low 16 bits
004A3269 33D2 XOR EDX, EDX
004A326B 48 DEC EAX
004A326C 66:8B50 3C MOV DX, WORD PTR DS:[EAX+3C]
004A3270 66:F7C2 00F0 TEST DX, 0F000
004A3275 ^75 F4 JNZ SHORT 004A326B
004A3277 3B4402 34 CMP EAX, DWORD PTR DS:[EDX+EAX+34]
004A327B ^75 EE JNZ SHORT 004A326B ; walk downwards until a header whose ImageBase field equals the candidate address: that is kernel32.dll's HMODULE
004A327D 8985 CFBD4000 MOV DWORD PTR SS:[EBP+40BDCF], EAX ; the HMODULE is stored in [4A9DCF]
......
004A3299 8D85 AFBA4000 LEA EAX, DWORD PTR SS:[EBP+40BAAF] ; prepare to get the address of GetModuleHandleA
004A329F 50 PUSH EAX ; /ProcNameOrOrdinal = "GetModuleHandleA"
004A32CC FFB5 CFBD4000 PUSH DWORD PTR SS:[EBP+40BDCF] ; |hModule = 7C800000 (kernel32)
004A32EC E8 0FBDFFFF CALL 0049F000 ; \GetProcAddress
......
CALL 0049F000 is the shell's own equivalent of GetProcAddress.
Step into it and take a look:
0049F000 55 PUSH EBP
0049F001 8BEC MOV EBP, ESP
0049F003 83C4 E8 ADD ESP, -18
0049F006 53 PUSH EBX
0049F007 51 PUSH ECX
0049F008 56 PUSH ESI
0049F009 57 PUSH EDI
0049F00A 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8] ; hModule
0049F00D 8B40 3C MOV EAX, DWORD PTR DS:[EAX+3C]
0049F010 0345 08 ADD EAX, DWORD PTR SS:[EBP+8] ; locate the PE header
0049F013 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
0049F016 8B5D 08 MOV EBX, DWORD PTR SS:[EBP+8]
0049F019 0358 78 ADD EBX, DWORD PTR DS:[EAX+78] ; locate the export table
0049F01C 895D F8 MOV DWORD PTR SS:[EBP-8], EBX
0049F01F 8BC3 MOV EAX, EBX
0049F021 8B58 1C MOV EBX, DWORD PTR DS:[EAX+1C]
0049F024 035D 08 ADD EBX, DWORD PTR SS:[EBP+8] ; locate AddressOfFunctions
0049F027 895D F4 MOV DWORD PTR SS:[EBP-C], EBX
0049F02A 8B58 18 MOV EBX, DWORD PTR DS:[EAX+18] ; NumberOfNames
0049F02D 895D F0 MOV DWORD PTR SS:[EBP-10], EBX
0049F030 8B58 20 MOV EBX, DWORD PTR DS:[EAX+20]
0049F033 035D 08 ADD EBX, DWORD PTR SS:[EBP+8] ; locate AddressOfNames
0049F036 895D E8 MOV DWORD PTR SS:[EBP-18], EBX
0049F039 8B58 24 MOV EBX, DWORD PTR DS:[EAX+24]
0049F03C 035D 08 ADD EBX, DWORD PTR SS:[EBP+8] ; locate AddressOfNameOrdinals
0049F03F 895D EC MOV DWORD PTR SS:[EBP-14], EBX
0049F042 33C9 XOR ECX, ECX
0049F044 33DB XOR EBX, EBX
0049F046 8B75 0C MOV ESI, DWORD PTR SS:[EBP+C] ; name of the API to look up
0049F049 8B7D E8 MOV EDI, DWORD PTR SS:[EBP-18]
0049F04C 8B3C8F MOV EDI, DWORD PTR DS:[EDI+ECX*4]
0049F04F 037D 08 ADD EDI, DWORD PTR SS:[EBP+8] ; EDI = the ECX-th exported name
0049F052 8A043B MOV AL, BYTE PTR DS:[EBX+EDI]
0049F055 3A0433 CMP AL, BYTE PTR DS:[EBX+ESI]
0049F058 75 0A JNZ SHORT 0049F064 ; mismatch: try the next name
0049F05A 43 INC EBX
0049F05B B0 00 MOV AL, 0
0049F05D 3A0433 CMP AL, BYTE PTR DS:[EBX+ESI] ; end of the requested name reached?
0049F060 ^75 F0 JNZ SHORT 0049F052
0049F062 74 08 JE SHORT 0049F06C ; found
0049F064 33DB XOR EBX, EBX
0049F066 41 INC ECX
0049F067 3B4D F0 CMP ECX, DWORD PTR SS:[EBP-10]
0049F06A ^75 DD JNZ SHORT 0049F049 ; loop over all the names
0049F06C 8B7D F4 MOV EDI, DWORD PTR SS:[EBP-C] ; found: the name index ECX is used directly as the index into AddressOfFunctions (the ordinal table is not consulted)
0049F06F 8B048F MOV EAX, DWORD PTR DS:[EDI+ECX*4]
0049F072 0345 08 ADD EAX, DWORD PTR SS:[EBP+8] ; API RVA -> VA
0049F075 5F POP EDI
0049F076 5E POP ESI
0049F077 59 POP ECX
0049F078 5B POP EBX
0049F079 C9 LEAVE
0049F07A C2 0800 RETN 8
Below is xikug's own MyGetProcAddress source:
;---------------------------------- xikug's GetApiAddress proc ----------------------------------
GetApiAddress proc K32Base:DWORD, ApiName:DWORD
    LOCAL BaseImageNtHeaders:DWORD      ; base of IMAGE_NT_HEADERS
    LOCAL BaseExportTable:DWORD         ; base of the export table
    ;;;;;;;;;;; the IMAGE_EXPORT_DIRECTORY fields are saved in the variables below ;;;;;;;;;;;;
    LOCAL AddressOfFunctions:DWORD
    LOCAL NumberOfNames:DWORD
    LOCAL AddressOfNameOrdinals:DWORD
    LOCAL AddressOfNames:DWORD
    push ebx
    push ecx
    push esi
    push edi
    mov eax, K32Base
    mov eax, [eax+3Ch]                   ; kernel32.dll IMAGE_NT_HEADERS
    add eax, K32Base
    mov BaseImageNtHeaders, eax
    assume eax:ptr IMAGE_NT_HEADERS
    mov ebx, K32Base
    add ebx, [eax].OptionalHeader.DataDirectory.VirtualAddress   ; DataDirectory[0] = export table
    assume eax:nothing
    mov BaseExportTable, ebx
    mov eax, ebx
    assume eax:ptr IMAGE_EXPORT_DIRECTORY
    mov ebx, [eax].AddressOfFunctions
    add ebx, K32Base
    mov AddressOfFunctions, ebx
    mov ebx, [eax].NumberOfNames
    mov NumberOfNames, ebx
    mov ebx, [eax].AddressOfNames
    add ebx, K32Base
    mov AddressOfNames, ebx
    mov ebx, [eax].AddressOfNameOrdinals
    add ebx, K32Base
    mov AddressOfNameOrdinals, ebx
    assume eax:nothing
    xor ecx, ecx
    xor ebx, ebx
    mov esi, ApiName
GetApiName:
    mov edi, AddressOfNames
    mov edi, [edi+ecx*4]
    add edi, K32Base
CmpApi:
    mov al, [edi+ebx]
    cmp al, [esi+ebx]
    jne GetNext
    inc ebx
    mov al, 0
    cmp al, [esi+ebx]                    ; end of the requested name reached?
    jne CmpApi
    je GetOk
GetNext:
    xor ebx, ebx
    inc ecx
    cmp ecx, NumberOfNames
    jne GetApiName                       ; note: no not-found exit, falls through with ecx = NumberOfNames
GetOk:
    ;;;;;;;; ordinal lookup for the API address (left disabled by the author) ;;;;;;;;
    ; xor edx, edx
    ; mov ebx, AddressOfNameOrdinals
    ; mov dx, word ptr [ebx+ecx*4]
    ; ECX is used directly as the index into AddressOfFunctions
    ; find the function address in AddressOfFunctions
    mov edi, AddressOfFunctions
    mov eax, [edi+ecx*4]
    add eax, K32Base
    ; restore registers
    pop edi
    pop esi
    pop ecx
    pop ebx
    ret
GetApiAddress endp
;----------------------------------end----------------------------------
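For comparison, an added C version of this export walk (example code written for this write-up, neither xikug's nor the shell's) against a constructed in-memory image, so it runs without Windows. It keeps the routine's two quirks, the comparison stopping at the end of the requested name (so a prefix also matches) and the name index being used directly in AddressOfFunctions with AddressOfNameOrdinals skipped, and shows where the latter returns the wrong address. The image layout and the three exports are constructed.

```c
/* Added example: the export-table walk of GetApiAddress / 0049F000 in C,
 * on a constructed image. Not code from xikug or the shell. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed image (RVAs): DOS header with e_lfanew at +3C, NT headers at 80
 * with the export DataDirectory RVA at +78, IMAGE_EXPORT_DIRECTORY at 100,
 * the three export arrays at 140/150/160 and the name strings from 170 on. */
#define IMG_SIZE 0x200u
static uint8_t img[IMG_SIZE];

static uint32_t rd32(const uint8_t *b, uint32_t rva) { uint32_t v; memcpy(&v, b + rva, 4); return v; }
static uint16_t rd16(const uint8_t *b, uint32_t rva) { uint16_t v; memcpy(&v, b + rva, 2); return v; }
static void wr32(uint32_t rva, uint32_t v) { memcpy(img + rva, &v, 4); }
static void wr16(uint32_t rva, uint16_t v) { memcpy(img + rva, &v, 2); }

/* Three exports. Names are stored sorted (as a linker emits them) but their
 * ordinals are not in name order, so AddressOfNameOrdinals matters. */
const uint8_t *demo_image(void)
{
    static int built = 0;
    if (built) return img;
    memset(img, 0, sizeof img);
    wr32(0x3C, 0x80);                   /* e_lfanew */
    wr32(0x80, 0x00004550);             /* "PE\0\0" */
    wr32(0x80 + 0x78, 0x100);           /* DataDirectory[0].VirtualAddress = export dir */
    wr32(0x100 + 0x14, 3);              /* NumberOfFunctions */
    wr32(0x100 + 0x18, 3);              /* NumberOfNames */
    wr32(0x100 + 0x1C, 0x140);          /* AddressOfFunctions */
    wr32(0x100 + 0x20, 0x150);          /* AddressOfNames */
    wr32(0x100 + 0x24, 0x160);          /* AddressOfNameOrdinals */
    wr32(0x140, 0x2000);                /* ordinal 0 -> LoadLibraryA   */
    wr32(0x144, 0x3000);                /* ordinal 1 -> VirtualAlloc   */
    wr32(0x148, 0x1000);                /* ordinal 2 -> GetProcAddress */
    wr32(0x150, 0x170); wr32(0x154, 0x180); wr32(0x158, 0x190);
    wr16(0x160, 2);     wr16(0x162, 0);     wr16(0x164, 1);
    strcpy((char *)img + 0x170, "GetProcAddress");
    strcpy((char *)img + 0x180, "LoadLibraryA");
    strcpy((char *)img + 0x190, "VirtualAlloc");
    built = 1;
    return img;
}

/* Byte loop of CmpApi: bytes are compared until the *requested* name ends,
 * so an export whose name merely starts with the requested string matches. */
static int shell_name_match(const char *exported, const char *wanted)
{
    if (*wanted == '\0') return 0;   /* guard added here; the asm has none */
    for (size_t i = 0; ; i++) {
        if (exported[i] != wanted[i]) return 0;   /* JNE GetNext */
        if (wanted[i + 1] == '\0') return 1;      /* MOV AL,0 / CMP AL,[ESI+EBX] / JE GetOk */
    }
}

static uint32_t export_dir(const uint8_t *b) { return rd32(b, rd32(b, 0x3C) + 0x78); }

/* Name index ECX of the first match, or -1 (the asm has no not-found exit). */
static int find_name_index(const uint8_t *b, const char *wanted)
{
    uint32_t ed = export_dir(b);
    uint32_t n = rd32(b, ed + 0x18), names = rd32(b, ed + 0x20);
    for (uint32_t i = 0; i < n; i++)
        if (shell_name_match((const char *)b + rd32(b, names + 4 * i), wanted))
            return (int)i;
    return -1;
}

/* As the shell does it: AddressOfFunctions[name index]. Returns the RVA or 0. */
uint32_t shell_lookup(const char *wanted)
{
    const uint8_t *b = demo_image();
    int i = find_name_index(b, wanted);
    return i < 0 ? 0 : rd32(b, rd32(b, export_dir(b) + 0x1C) + 4 * (uint32_t)i);
}

/* Correct: AddressOfFunctions[AddressOfNameOrdinals[name index]]. */
uint32_t correct_lookup(const char *wanted)
{
    const uint8_t *b = demo_image();
    int i = find_name_index(b, wanted);
    if (i < 0) return 0;
    uint32_t ed = export_dir(b);
    uint16_t ord = rd16(b, rd32(b, ed + 0x24) + 2 * (uint32_t)i);
    return rd32(b, rd32(b, ed + 0x1C) + 4 * ord);
}

int main(void)
{
    const char *names[] = { "GetProcAddress", "LoadLibraryA", "VirtualAlloc", "Virtual", "NoSuchApi" };
    for (size_t k = 0; k < 5; k++)
        printf("%-15s shell=%05X correct=%05X\n", names[k],
               (unsigned)shell_lookup(names[k]), (unsigned)correct_lookup(names[k]));
    return 0;
}
```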
The shell resolves the addresses of the following APIs (their names sit in the shell's data area):
004A9AB4 64 75 6C 65 48 61 6e 64 6C 65 41 00 29 B5 80 7C duleHandleA.)...|
004A9AC4 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 LoadLibraryA....
004A9AD4 00 47 65 74 74 65 73 41 64 64 72 65 73 73 00 .GetProcAddress.
004A9AE4 00 00 00 47 6C 6F 62 61 6C 41 6C 6C 6F 63 00 .... GlobalAlloc.
004A9AF4 00 00 00 47 6C 6F 62 61 6C 46 72 65 65 00 00 .... GlobalFree ..
004A9B04 00 00 00 55 6E 68 61 6e 64 6C 65 64 45 78 63 65 ... UnhandledExce
004a9b14 70 74 69 6f 6e 46 69 6C 74 65 72 00 00 00 00 00 00 00 00Filter .....
004A9B24 47 65 74 4D 6F 64 75 6C 65 46 69 6C 65 4e 61 6D GetModuleFileNam
004a9b34 65 41 00 00 00 00 45 78 69 74 50 72 6F 63 65 EA ..... EXITPROCE
004a9b44 73 73 00 00 00 00 43 72 65 61 74 65 50 72 6F ss ..... CreatePro
004A9B54 63 65 73 73 00 00 00 00 57 61 69 74 46 6F 72 CESS ..... Waitfor
004A9B64 44 65 62 75 67 45 76 65 6e 74 00 00 00 00 DEBUGEVENT ..... C
004a9b74 6f 6e 74 69 6e 75 65 44 65 62 75 67 45 76 65 6e ONTINUEDEBUGEVEN
004a9b84 74 00 00 00 00 47 65 74 43 6F 6D 6D 61 6E 64 T ..... getcommand
004a9b94 4c 69 6e 65 00 00 00 00 6c 73 74 72 6C 65 6e line ..... lstrlen
004A9BA4 00 00 00 00 6c 73 74 72 63 70 79 00 00 00 ..... LSTRCPY ....
004A9BB4 00 4D 65 73 73 61 67 65 42 6F 78 41 00 00 00 .MessageBoxa ....
004A9BC4 00 52 74 6C 5A 65 72 6F 4D 65 6D 6F 72 79 00 00 .rtlzeromemory ..
004A9BD4 00 00 00 00 00 00 72 65 61 74 65 54 6F 6F 6C 68 65 6C ... CreateToolhel
004a9be4 70 33 32 53 6e 61 70 73 68 6F 74 00 00 00 00 p32snapshot .....
004A9BF4 50 72 6F 63 65 73 73 33 32 46 69 72 73 74 00 00 00 Process32First ..
004a9c04 00 00 50 72 6F 63 65 73 73 33 32 4e 65 78 74 ... Process32Next
004a9c14 00 00 00 00 47 65 74 43 75 72 72 65 6e 74 50 ..... getCurrentp
004A9C24 72 6F 63 65 73 73 49 64 00 00 00 00 4F 70 65 rocessId....Ope
004A9C34 6E 50 72 6F 63 65 73 73 00 00 00 43 6C 6F nProcess...Clo
004A9C44 73 65 48 61 6e 64 65 00 00 00 00 52 65 61 SEHANDLE ..... Rea
004A9C54 64 50 72 6F 63 65 73 73 4D 65 6D 6F 72 79 00 00 DPROCESSMORY..
004A9C64 00 00 00 47 65 74 54 68 72 65 61 64 43 6E 74 ... GetThreadCont
004a9c74 65 78 74 00 00 00 00 53 65 74 54 68 72 65 61 EXT ..... SETTHREA
004A9C84 64 43 6F 6e 74 65 78 74 00 00 00 00 57 72 69 DCONText ..... WRI
004A9C94 (hex dump line garbled in extraction; its ASCII column continues "teProcessMemory")
004a9ca4 00 00 00 46 6C 75 73 68 49 6e 73 74 72 75 63 ... flushinstruc
004a9cb4 74 69 6f 6e 43 61 63 68 65 00 00 Tioncache ..
Once it has the address of GetProcAddress, the shell uses the real GetProcAddress to resolve the other APIs:
......
004A3B8F FF95 E4BA4000 Call DWORD PTR SS: [EBP 40BAE4]; kernel32.GetProcAddress
004A3B95 8985 4DBC4000 MOV DWORD PTR SS: [EBP 40BC4D], EAX
......
004A3FED 6A 00 PUSH 0 ; /ProcessId = 0
004A3FEF 6A 02 PUSH 2 ; |Flags = TH32CS_SNAPPROCESS
004A3FF1 FF95 F0BB4000 CALL DWORD PTR SS:[EBP+40BBF0] ; \CreateToolhelp32Snapshot
004A3FF7 8985 FBC24000 MOV DWORD PTR SS:[EBP+40C2FB], EAX ; snapshot handle (10) saved to [4AA2FB]
004A3FFD 50 PUSH EAX
......
004A4018 58 POP EAX
004A4019 83F8 FF CMP EAX, -1 ; exit the program if CreateToolhelp32Snapshot failed
004A401C 75 01 JNZ SHORT 004A401F ; jump
......
004A408A 8DBD 03C34000 LEA EDI, DWORD PTR SS:[EBP+40C303] ; fill in the PROCESSENTRY32 structure
004A4090 C707 28010000 MOV DWORD PTR DS:[EDI], 128 ; dwSize = 128h
004A4096 PUSH EDI ; /pProcessEntry = 004AA303
004A40C3 PUSH DWORD PTR SS:[EBP+40C2FB] ; |hSnapshot = 00000010
004A40C9 CALL DWORD PTR SS:[EBP+40BC03] ; \Process32First
......
004A40EB 0BC0 OR EAX, EAX
004A40ED 75 0D JNZ SHORT 004A40FC ; jump if Process32First succeeded
004A40EF FFB5 FBC24000 PUSH DWORD PTR SS:[EBP+40C2FB] ; otherwise close the snapshot handle and end the program
004A40F5 FF95 4DBC4000 CALL DWORD PTR SS:[EBP+40BC4D]
004A40FB C3 RETN
......
004A4167 FF95 2DBC4000 CALL DWORD PTR SS:[EBP+40BC2D] ; GetCurrentProcessId: get the current process ID
004A416D 3947 08 CMP DWORD PTR DS:[EDI+8], EAX ; th32ProcessID
004A4170 0F85 111A0000 JNZ 004A5B87 ; not our own process: next entry
004A4176 8B47 18 MOV EAX, DWORD PTR DS:[EDI+18] ; th32ParentProcessID: the ID of the parent process
004A4179 8985 3EC24000 MOV DWORD PTR SS:[EBP+40C23E], EAX ; parent process ID saved to [4AA23E]
004A417F FF77 18 PUSH DWORD PTR DS:[EDI+18] ; /ProcessId = 3E0
004A4182 6A 00 PUSH 0 ; |Inheritable = FALSE
004A4184 68 FF0F1F00 PUSH 1F0FFF ; |Access = PROCESS_ALL_ACCESS
004A4189 FF95 3DBC4000 CALL DWORD PTR SS:[EBP+40BC3D] ; \OpenProcess
004A418F 8985 FFC24000 MOV DWORD PTR SS:[EBP+40C2FF], EAX ; OpenProcess handle saved to [4AA2FF]
004A4195 0BC0 OR EAX, EAX
004A4197 0F84 E6190000 JE 004A5B83 ; bail out if the parent process could not be opened
004A419D 8D85 B4114000 LEA EAX, DWORD PTR SS:[EBP+4011B4]
004A41A3 50 PUSH EAX ; the anti-debug check starts here: an SEH handler is installed around the ReadProcessMemory below
004A41A4 64:FF35 00000000 PUSH DWORD PTR FS:[0]
004A41AB 64:8925 00000000 MOV DWORD PTR FS:[0], ESP
004A41B2 55 PUSH EBP
004A41B3 6A 00 PUSH 0 ; /pBytesRead = NULL
004A41B5 6A 40 PUSH 40 ; |BytesToRead = 40 (64.)
004A41B7 8D85 2BC44000 LEA EAX, DWORD PTR SS:[EBP+40C42B]
004A41BD 50 PUSH EAX ; |Buffer = Explorer.004AA42B
004A41BE 68 00000010 PUSH 10000000 ; |pBaseAddress = 10000000
004A41C3 FFB5 FFC24000 PUSH DWORD PTR SS:[EBP+40C2FF] ; |hProcess = 0000001C (the parent)
004A41C9 FF95 63BC4000 CALL DWORD PTR SS:[EBP+40BC63] ; \ReadProcessMemory: read 64 bytes at 10000000 in the parent
004A41CF 5D POP EBP ; remove the SEH frame
004A41D0 33DB XOR EBX, EBX
004A41D2 64:8F03 POP DWORD PTR FS:[EBX]
004A41D5 83C4 04 ADD ESP, 4
004A41D8 50 PUSH EAX ; EAX is 1 if the read succeeded
004A41D9 51 PUSH ECX
......
004A5B4E 8D47 24 LEA EAX, DWORD PTR DS:[EDI+24] ; szExeFile: the name of this process
004A5B51 8A0401 MOV AL, BYTE PTR DS:[ECX+EAX] ; take each character in turn
004A5B54 0AC0 OR AL, AL
004A5B56 75 02 JNZ SHORT 004A5B5A ; not the terminating NUL: jump
004A5B58 EB 13 JMP SHORT 004A5B6D
004A5B5A 24 0F AND AL, 0F ; keep the low nibble of each character
004A5B5C 8D9D 2EC24000 LEA EBX, DWORD PTR SS:[EBP+40C22E]
004A5B62 D7 XLAT BYTE PTR DS:[EBX+AL] ; look it up in the 16-byte table at [4AA22E]
004A5B63 888429 C2BC4000 MOV BYTE PTR DS:[ECX+EBP+40BCC2], AL ; store the looked-up byte at [4A9CC2+ECX]
004A5B6A 41 INC ECX
004A5B6B ^EB E1 JMP SHORT 004A5B4E ; continue computing the encoded name
004A5B6D 59 POP ECX
004A5B6E 58 POP EAX
004A5B6F 83F8 01 CMP EAX, 1 ; did the ReadProcessMemory succeed?
004A5B72 75 0B JNZ SHORT 004A5B7F
004A5B74 C685 3DC24000 01 MOV BYTE PTR SS:[EBP+40C23D], 1 ; success: set the flag at [4AA23D]
004A5B7B /EB 1F JMP SHORT 004A5B9C ; if the read succeeded, CloseHandle(xx) is used to make the debugger misbehave
;-----------------------------------------
004A5BB6 FFB5 FFC24000 PUSH DWORD PTR SS:[EBP+40C2FF] ; /hObject = 0000001C
; Here 0, otherwise
004A5BE5 FF95 4DBC4000 CALL DWORD PTR SS:[EBP+40BC4D] ; \CloseHandle
;-----------------------------------------
004A5B7D / EB 08 JMP Short 004a5b87
004A5B7F | EB 1B JMP SHORT 004A5B9C
004A5B81 | EB 04 JMP Short 004a5b87
004A5B83 | EB 17 JMP SHORT 004A5B9C
004A5B85 | EB 00 JMP Short 004a5b87
004A5B87 /57 PUSH EDI ; /pProcessEntry = Explorer.004AA303
004A5B88 FFB5 FBC24000 PUSH DWORD PTR SS:[EBP+40C2FB] ; |hSnapshot = 00000010
004A5B8E FF95 15BC4000 CALL DWORD PTR SS:[EBP+40BC15] ; \Process32Next
004A5B94 0BC0 OR EAX, EAX
004A5B96 ^0F85 CBE5FFFF JNZ 004A4167 ; more processes to enumerate: jump back and continue
......
The first encoding step takes each character of the process name, ANDs it with 0F and looks the result up in this table:
& adj $ .8 = CCD [[[[VTQ in the VTQ.
For this process the computed value is: 8C&V.D8DQ8C8
......
004A5BEB 57 Push EDI; / PPROCESSENTRY = Explorer.004AA303
004A5C18 FFB5 FBC24000 PUSH DWORD PTR SS: [EBP 40C2FB]; | hsnapshot = 00000010
004A5C1E FF95 03BC4000 Call DWORD PTR SS: [EBP 40BC03]; / Process32First
......
004A5C40 0BC0 OR EAX, EAX
004A5C42 75 0D JNZ SHORT 004A5C51 ; jump if Process32First succeeded
004A5C44 FFB5 FBC24000 PUSH DWORD PTR SS:[EBP+40C2FB] ; otherwise close the snapshot and exit the program
004A5C4A FF95 4DBC4000 CALL DWORD PTR SS:[EBP+40BC4D]
004A5C50 C3 RETN
004A5C51 8B85 3EC24000 MOV EAX, DWORD PTR SS:[EBP+40C23E] ; parent process ID into EAX
004A5C57 3947 08 CMP DWORD PTR DS:[EDI+8], EAX
004A5C5A 0F85 A0000000 JNZ 004A5D00 ; not the parent process ID: continue with the next entry
004A5C60 BA 00000000 MOV EDX, 0
004A5C65 33C9 XOR ECX, ECX
004A5C67 8D47 24 LEA EAX, DWORD PTR DS:[EDI+24] ; szExeFile of the parent process
004A5C6A 8A0401 MOV AL, BYTE PTR DS:[ECX+EAX] ; take each character of the parent's name
004A5C6D 0AC0 OR AL, AL
004A5C6F 75 02 JNZ SHORT 004A5C73 ; not finished: jump
004A5C71 EB 1C JMP SHORT 004A5C8F
004A5C73 24 0F AND AL, 0F
004A5C75 8D9D 2EC24000 LEA EBX, DWORD PTR SS:[EBP+40C22E]
004A5C7B D7 XLAT BYTE PTR DS:[EBX+AL] ; table lookup
004A5C7C 328429 C2BC4000 XOR AL, BYTE PTR DS:[ECX+EBP+40BCC2] ; compare the looked-up byte with the one computed from our own process name
004A5C83 0AC0 OR AL, AL
004A5C85 74 05 JE SHORT 004A5C8C ; equal: next character
004A5C87 BA 01000000 MOV EDX, 1 ; different: set EDX to 1
004A5C8C 41 INC ECX
004A5C8D ^EB D8 JMP SHORT 004A5C67
004A5C8F 83FA 01 CMP EDX, 1 ; were the names identical? if so, do not jump
004A5C92 75 6C JNZ SHORT 004A5D00 ; when debugging the child process in OD you must make this jump, otherwise you will not reach the correct OEP
......
004A5CAA BE 9A7C4000 MOV ESI, 00407C9A
004A5cc9 81ee FF000000 SUB ESI, 0FF
004a5ccf 03f5 Add ESI, EBP
......
004A5CE7 C706 E77D4000 MOV DWORD PTR DS:[ESI], 00407DE7 ; I don't know what these stores are for :-(
004A5CED 83C6 1F Add ESI, 1F
004A5CF0 8906 MOV DWORD PTR DS: [ESI], EAX
004A5CF2 FFB5 FFC24000 PUSH DWORD PTR SS: [EBP 40C2FF]; / HOBJECT = 0000001C
004A5CF8 FF95 4DBC4000 Call DWORD PTR SS: [EBP 40BC4D]; / CloseHandle
004A5CFE EB 15 JMP Short 004a5d15
004A5D00 57 Push EDI; / PPROCESSENTRY = Explorer.004AA303
004A5D01 FFB5 FBC24000 PUSH DWORD PTR SS: [EBP 40C2FB]; | hsnapshot = 00000010
004A5D07 FF95 15BC4000 Call DWORD PTR SS: [EBP 40BC15]; / Process32Next
004A5D0D 0BC0 or EAX, EAX
004A5D0F ^0F85 3CFFFFFF JNZ 004A5C51 ; more entries to enumerate: continue
......
004A5D2F FFB5 FBC24000 PUSH DWORD PTR SS:[EBP+40C2FB] ; /hObject = 00000010
004A5D5E FF95 4DBC4000 CALL DWORD PTR SS:[EBP+40BC4D] ; \CloseHandle: close the snapshot
At this point the anti-debug check is over.
......
004A5D7A FF95 99BB4000 CALL DWORD PTR SS: [EBP 40BB99]; Get the command line
004A5D80 50 Push EAX
004A5D81 90 NOP
004A5D82 90 NOP
......
004A5DAD 5A POP EDX; 00141EE0
004A5DAE 8BF2 MOV ESI, EDX
004a5db0 90 NOP
......
004A5DC6 803E 58 CMP BYTE PTR DS:[ESI], 58 ; is the first character of the command line "X", the debug flag?
004A5DC9 75 2E JNZ SHORT 004A5DF9 ; not "X": jump
......
004A5DF7 /EB 6B JMP SHORT 004A5E64 ; if this is the child process, jump to the later part
......
004A5E0F 90 NOP
004A5E10 90 NOP ; prepare to get the program's full path name
004A5E11 90 NOP
004A5E12 90 NOP
004A5E13 68 00010000 PUSH 100; / bufsize = 100 (256.)
004A5E18 8D85 C2BC4000 LEA EAX, DWORD PTR SS: [EBP 40BCC2];
004A5E1E 50 Push Eax; | PathBuffer = Explorer.004A9CC2
004a5e1f 6a 00 push 0; | hmodule = null
004A5E21 FF95 37BB4000 CALL DWORD PTR SS: [EBP 40BB37]; / GETMODULEFILENAMEA
004A5E27 90 NOP
......
004A5E3A 8D85 C2BC4000 LEA EAX, DWORD PTR SS: [EBP 40BCC2]
004A5E40 50 Push Eax; Get the full path of the program
004A5E41 E8 1196FFFF CALL 0049F457 ; step in: this is where the shell starts itself as a debuggee. Let's look:
0049F457 55 PUSH EBP ; the CreateProcess part
0049F458 8BEC MOV EBP, ESP
0049F45A 60 PUSHAD
0049F45B 8B7D 08 MOV EDI, DWORD PTR SS:[EBP+8] ; address of the program's full path into EDI
0049F45E E8 00000000 CALL 0049F463
0049F463 5B POP EBX
0049F464 81EB 63144000 SUB EBX, 00401463 ; get the relocation delta
0049F46A B8 44000000 MOV EAX, 44 ; prepare to clear the structures (44h = size of STARTUPINFO)
0049F46F 50 Push Eax; / Length = 44 (68.)
0049F470 8D83 42C24000 LEA EAX, DWORD PTR DS: [EBX 40C242];
0049F476 50 push eax; | destination = Explorer.004AA242
0049F477 FF93 D3BB4000 CALL DWORD PTR DS: [EBX 40BBD3]; / RTLZEROMEMORY
0049F47D B8 10000000 MOV EAX, 10
0049F482 50 Push Eax; / Length = 10 (16.)
0049F483 8D83 86C24000 LEA EAX, DWORD PTR DS: [EBX 40C286]; | |
0049f489 50 push eax; | destination = Explorer.004AA286
0049F48A FF93 D3BB4000 CALL DWORD PTR DS: [EBX 40BBD3]; / RTLZEROMEMORY
0049F490 B8 44000000 MOV EAX, 44 ; STARTUPINFO.cb = 44h, ready for CreateProcessA to launch the debuggee
0049F495 8983 42C24000 MOV DWORD PTR DS: [EBX 40C242], EAX
0049F49B 8D83 86C24000 LEA EAX, DWORD PTR DS: [EBX 40C286]
0049F4A1 50 Push Eax; / PProcessinfo = Explorer.004AA286
0049F4A2 8D83 42C24000 LEA EAX, DWORD PTR DS:[EBX+40C242] ; |
0049F4A8 50 PUSH EAX ; |pStartupInfo = Explorer.004AA242
0049F4A9 6A 00 Push 0; | Currentdir = NULL
0049F4AB 6A 00 Push 0; | Penvironment = NULL
0049F4AD B8 01000000 MOV Eax, 1; |
0049f4b2 83c8 02 or Eax, 2;
0049F4B5 50 PUSH EAX ; |CreationFlags = DEBUG_PROCESS | DEBUG_ONLY_THIS_PROCESS
0049f4b6 6a 00 push 0; | inherithandles = false
0049f4b8 6a 00 push 0; | pthreadsecurity = null
0049f4ba 6a 00 push 0; | pprocesssecurity = null
0049F4BC 8D83 C2BD4000 LEA EAX, DWORD PTR DS: [EBX 40BDC2];
0049F4C2 50 Push Eax; | CommandLine = "x"
0049F4C3 57 Push EDI; | ModuleFileName = "D: /Explorer.exe"
0049F4C4 FF93 59BB4000 Call DWORD PTR DS: [EBX 40BB59]; / CREATEPROCESSA
0049F4CA 83F8 01 CMP EAX, 1
0049F4CD 0F85 87010000 JNZ 0049F65A ; exit the program if creating the process failed
0049F4D3 8DBB 64C54000 Lea EDI, DWORD PTR DS: [EBX 40C564]
0049F4D9 C707 07000100 MOV DWORD PTR DS: [EDI], 10007
0049F4DF 810F 10000100 or DWORD PTR DS: [EDI], 10010
0049F4E5 8D83 96C24000 Lea Eax, DWORD PTR DS: [EBX 40C296]
0049F4EB 68 A00F0000 PUSH 0FA0 ; /Timeout = 4000. ms
0049F4F0 50 PUSH EAX ; |pDebugEvent = Explorer.004AA296
0049F4F1 FF93 6FBB4000 CALL DWORD PTR DS:[EBX+40BB6F] ; \WaitForDebugEvent
0049F4F7 83F8 01 CMP EAX, 1
0049F4FA 0F85 55010000 JNZ 0049F655 ; EAX == FALSE: go round again
0049F500 8D93 96C24000 LEA EDX, DWORD PTR DS:[EBX+40C296] ; DEBUG_EVENT
0049F506 8DB3 86C24000 LEA ESI, DWORD PTR DS:[EBX+40C286] ; PROCESS_INFORMATION
0049F50C 833A 03 CMP DWORD PTR DS:[EDX], 3 ; CREATE_PROCESS_DEBUG_EVENT
0049F50F 75 16 JNZ SHORT 0049F527 ; not CREATE_PROCESS_DEBUG_EVENT: jump
0049F511 68 02000100 PUSH 10002 ; /ContinueStatus = DBG_CONTINUE
0049F516 FF72 08 PUSH DWORD PTR DS:[EDX+8] ; |ThreadId = 214
0049F519 FF72 04 PUSH DWORD PTR DS:[EDX+4] ; |ProcessId = 57C
0049F51C FF93 86BB4000 CALL DWORD PTR DS:[EBX+40BB86] ; \ContinueDebugEvent
0049F522 E9 2E010000 JMP 0049F655
0049F527 833A 01 CMP DWORD PTR DS:[EDX], 1 ; is it an EXCEPTION_DEBUG_EVENT?
0049F52A 0F85 0B010000 JNZ 0049F63B ; if not, jump
0049F530 817A 0C 03000080 CMP DWORD PTR DS:[EDX+C], 80000003 ; is it an INT3 breakpoint exception? if not, jump on
0049F537 0F85 EB000000 JNZ 0049F628
0049F53D 83BB F7C24000 00 CMP DWORD PTR DS:[EBX+40C2F7], 0 ; is this the debuggee's entry breakpoint?
0049F544 75 1C JNZ SHORT 0049F562 ; that is, the first INT3 the shell sees is the initial breakpoint at process start, which is ignored
0049F546 FF83 F7C24000 INC DWORD PTR DS:[EBX+40C2F7] ; debug step + 1
0049F54C 68 02000100 PUSH 10002 ; /ContinueStatus = DBG_CONTINUE
0049F551 FF72 08 PUSH DWORD PTR DS:[EDX+8] ; |ThreadId = 214
0049F554 FF72 04 PUSH DWORD PTR DS:[EDX+4] ; |ProcessId = 57C
0049F557 FF93 86BB4000 CALL DWORD PTR DS:[EBX+40BB86] ; \ContinueDebugEvent
0049F55D E9 F3000000 JMP 0049F655 ; back to the top of the loop
0049F562 83BB F7C24000 01 CMP DWORD PTR DS:[EBX+40C2F7], 1 ; second INT3 exception (the one raised by the shell at 4A7781)
0049f569 0F85 A6000000 JNZ 0049F615
0049F56F 52 Push EDX
0049F570 FF83 F7C24000 Inc DWORD PTR DS: [EBX 40C2F7]; Debug Step 1
0049F576 8DBB 64C54000 Lea EDI, DWORD PTR DS: [EBX 40C564]
0049F57C 57 Push EDI; / PCONText = Explorer.004AA564
0049F57D FF76 04 Push DWORD PTR DS: [ESI 4]; | HTHREAD = 00000038 (Window)
0049F580 FF93 78BC4000 Call DWORD PTR DS: [EBX 40BC78]; / GetThreadContext
0049F586 8B8F B8000000 MOV ECX, DWORD PTR DS:[EDI+B8] ; CONTEXT.Eip: the exception address (4A7781)
0049F58C 51 PUSH ECX
0049F58D 6A 00 Push 0; / pbytesread = null
0049f58f 6a 01 push 1; | bytestoread = 1
0049F591 8D83 F6C24000 Lea Eax, DWORD PTR DS: [EBX 40C2F6]; |
0049F597 50 PUSH EAX ; |Buffer = Explorer.004AA2F6
0049F598 51 PUSH ECX ; |pBaseAddress = 4A7781
0049f599 FF36 Push DWORD PTR DS: [ESI]; HProcess = 00000034
0049F59B FF93 63BC4000 Call DWORD PTR DS: [EBX 40BC63]; / ReadProcessMemory
0049F5A1 59 POP ECX
0049F5A2 8D83 F6C24000 Lea Eax, DWORD PTR DS: [EBX 40C2F6]
0049F5A8 8A00 MOV Al, Byte Ptr DS: [EAX]
0049F5AA 34 52 XOR Al, 52
0049F5AC 8883 F6C24000 MOV BYTE PTR DS: [EBX 40C2F6], Al
0049f5b2 51 Push ECX
0049f5b3 6a 00 push 0; / pbyteswritten = NULL
0049F5B5 6A 01 Push 1; | Bytestowrite = 1
0049F5B7 8D83 F6C24000 Lea Eax, DWORD PTR DS: [EBX 40C2F6]; |
0049F5BD 50 Push Eax; | buffer = Explorer.004AA2F6
0049f5be 51 push ecx; | address = 4A7781
0049F5BF FF36 Push DWORD PTR DS: [ESI]; HProcess = 00000034
0049F5C1 FF93 A4BC4000 Call DWORD PTR DS: [EBX 40BCA4]; / WriteProcessMemory
0049F5C7 59 POP ECX
0049F5C8 8D83 04BA4000 LEA EAX, DWORD PTR DS:[EBX+40BA04] ; end address 4A9A04
0049F5CE 41 INC ECX
0049F5CF 3BC8 CMP ECX, EAX
0049F5D1 75 02 JNZ SHORT 0049F5D5 ; not at the end yet: jump back (via 0049F5D5) and do the next byte
0049F5D3 EB 02 JMP SHORT 0049F5D7
0049F5D5 ^EB B5 JMP SHORT 0049F58C
0049F5D7 51 PUSH ECX
0049F5D8 8B87 B8000000 MOV EAX, DWORD PTR DS:[EDI+B8] ; CONTEXT.Eip is read and written back unchanged
0049F5DE 8987 B8000000 MOV DWORD PTR DS:[EDI+B8], EAX
0049F5E4 57 Push EDI; / PCONTEXT = Explorer.004AA564
0049F5E5 FF76 04 Push DWORD PTR DS: [ESI 4]; | hthread = 00000038 (Window)
0049F5E8 FF93 8DBC4000 Call DWORD PTR DS: [EBX 40BC8D]; / SETTHREADCONTEXT
0049f5ee 8b87 b8000000 MOV EAX, DWORD PTR DS: [EDI B8]
0049F5F4 59 POP ECX
0049F5F5 2BC8 SUB ECX, EAX
0049f5f7 51 push ECX; / regionsize = 2283
0049F5F8 50 Push Eax; | RegionBase = Explorer.004A7781
0049F5F9 FF36 Push DWORD PTR DS: [ESI]; HProcess = 00000034
0049f5fb ff93 bebc4000 Call DWORD PTR DS: [EBX 40BCBE]; / FlushinstructionCache
0049f601 5A POP EDX
0049F602 68 02000100 PUSH 10002 ; /ContinueStatus = DBG_CONTINUE
0049F607 FF72 08 Push DWORD PTR DS: [EDX 8]; | threadid = 214
0049F60A FF72 04 Push DWORD PTR DS: [EDX 4]; | Processid = 57C
0049F60D FF93 86BB4000 Call DWORD PTR DS: [EBX 40BB86]; / ContinueDebugevent
0049f613 EB 40 JMP Short 0049F655
0049F615 68 01000180 Push 80010001; / DBG_EXCEPTION_NOT_HANDLED
0049F61A FF72 08 Push DWORD PTR DS: [EDX 8]; | DWTHREADID
0049F61D FF72 04 PUSH DWORD PTR DS:[EDX+4] ; |dwProcessId
0049F620 FF93 86BB4000 CALL DWORD PTR DS:[EBX+40BB86] ; \ContinueDebugEvent
0049f626 EB 2D JMP Short 0049F655
0049F628 68 01000180 PUSH 80010001; / DBG_EXCEPTION_NOT_HANDLED
0049f62D ff72 08 Push DWORD PTR DS: [EDX 8]; | DWTHREADID
0049F630 FF72 04 Push DWORD PTR DS: [EDX 4]; | DWPROCESSID
0049F633 FF93 86BB4000 Call DWORD PTR DS: [EBX 40BB86]; / ContinueDebugevent
0049f639 EB 1A JMP Short 0049F655
0049F63B 833A 05 CMP DWORD PTR DS: [EDX], 5
0049f63e 75 04 jnz short 0049f644
0049f640 EB 18 JMP Short 0049F65A
0049f642 EB 11 JMP Short 0049F655
0049F644 68 02000100 PUSH 10002 ; /ContinueStatus = DBG_CONTINUE
0049F649 FF72 08 Push DWORD PTR DS: [EDX 8]; | DWTHREADID
0049F64C FF72 04 Push DWORD PTR DS: [EDX 4]; | DWPROCESSID
0049F64F FF93 86BB4000 Call DWORD PTR DS: [EBX 40BB86]; / ContinueDebugevent
0049f655 ^ E9 8bfeffff jmp 0049f4e5
0049F65A 61 POPAD
0049F65B C9 Leave
0049F65C C2 0400 RETN 4
004A5E5B 90 NOP ; the parent (debugger) side of the program ends here
004A5E5C 6A 00 PUSH 0 ; /ExitCode = 0
004A5E5E FF95 47BB4000 CALL DWORD PTR SS:[EBP+40BB47] ; \ExitProcess
Here we can summarize: the shell uses only one anti-debug trick, and then uses the debug flag 'X' on the command line to decide whether it is the child process. The shell handles only the INT3 exception; on that exception it XORs the code from 4A7781 to 4A9A04 with 52 to restore the correct code.
Now write a short script so that the program can be run directly as a single process:
var addr
start:
gpa "GetProcAddress", "kernel32.dll"
bp $RESULT
lbl1:
run
lbl2:
mov addr, esp
add addr, 8
mov addr, [addr]
mov addr, [addr]
cmp addr, 73756C46 ; "Flus": the last API the shell resolves, FlushInstructionCache
jne lbl1
bc $RESULT
rtu
lbl3:
mov addr, eip
add addr, 6
asm addr, "jmp 004A5D7A"
sto
sto
mov [addr], #e803000000#
sto
mov [eax], #58#
run
ret
Reload the program and run the script above; you then land here:
004A5E7A E8 1E98FFFF CALL 0049F69D ; initialize the CRC32 table
Step in:
0049F69D 60 PUSHAD
0049F69E E8 00000000 CALL 0049F6A3
0049F6A3 5B POP EBX
0049F6A4 81EB A3164000 SUB EBX, 004016A3 ; compute the relocation delta
0049F6AA B9 00010000 MOV ECX, 100 ; 256 table entries
0049F6AF BA 2083B8ED MOV EDX, EDB88320 ; reflected CRC-32 polynomial
0049F6B4 8D41 FF LEA EAX, DWORD PTR DS:[ECX-1] ; entry index
0049F6B7 51 PUSH ECX
0049F6B8 B9 08000000 MOV ECX, 8 ; 8 bit steps per entry
0049F6BD D1E8 SHR EAX, 1
0049F6BF 73 02 JNB SHORT 0049F6C3 ; the bit shifted out was 0: no XOR
0049F6C1 33C2 XOR EAX, EDX
0049F6C3 49 DEC ECX
0049F6C4 ^75 F7 JNZ SHORT 0049F6BD
0049F6C6 59 POP ECX
0049F6C7 8DBB FABD4000 LEA EDI, DWORD PTR DS:[EBX+40BDFA] ; the table at [4A9DFA]
0049F6CD 89448F FC MOV DWORD PTR DS:[EDI+ECX*4-4], EAX ; table[ECX-1] = EAX
0049F6D1 49 DEC ECX
0049F6D2 ^75 E0 JNZ SHORT 0049F6B4
0049F6D4 61 POPAD
0049F6D5 C3 RETN
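An added C version of this table construction (example code written for this write-up, not the shell's), plus a CRC over a buffer. The routine at 0049F6D6 that consumes the table is not shown here, so the update step assumes the standard reflected CRC-32 (init FFFFFFFF, final XOR FFFFFFFF); the sample bytes are constructed.

```c
/* Added example: the CRC-32 table loop at 0049F6AA..0049F6D2 in C, followed
 * by a table-driven CRC and the kind of integrity check a packer builds on it.
 * Not code from the shell. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CRC_POLY 0xEDB88320u   /* MOV EDX, EDB88320 */

static uint32_t crc_table[256];

/* Mirrors the loop: ECX counts 100h down to 1, EAX = ECX-1 is shifted right
 * 8 times, XORing the polynomial whenever a 1 bit falls out (JNB skips it),
 * and the result is stored at table[ECX-1]. */
void crc_table_init(void)
{
    for (uint32_t ecx = 0x100; ecx >= 1; ecx--) {
        uint32_t eax = ecx - 1;              /* LEA EAX,[ECX-1] */
        for (int bit = 0; bit < 8; bit++) {  /* MOV ECX,8 ... DEC ECX / JNZ */
            int carry = eax & 1;             /* SHR EAX,1 sets CF from bit 0 */
            eax >>= 1;
            if (carry) eax ^= CRC_POLY;      /* JNB skips the XOR when CF == 0 */
        }
        crc_table[ecx - 1] = eax;            /* MOV [EDI+ECX*4-4], EAX */
    }
}

uint32_t crc_table_entry(int i) { crc_table_init(); return crc_table[i]; }

/* Standard reflected CRC-32 over a buffer (assumption for the update step,
 * since the shell's routine at 0049F6D6 is not on the page). */
uint32_t crc32_buf(const void *data, size_t len)
{
    const uint8_t *p = data;
    uint32_t crc = 0xFFFFFFFFu;
    crc_table_init();
    for (size_t i = 0; i < len; i++)
        crc = crc_table[(crc ^ p[i]) & 0xFF] ^ (crc >> 8);
    return crc ^ 0xFFFFFFFFu;
}

/* The check value every CRC-32 implementation with these parameters reproduces. */
uint32_t crc32_check_value(void) { return crc32_buf("123456789", 9); }

/* Integrity check as a packer uses it: CRC of the code region compared with
 * the value stored earlier; returns 1 when the code was altered. Constructed
 * sample: a few bytes standing in for the 6793h-byte region, then the same
 * bytes with one opcode patched. */
int demo_patch_detected(void)
{
    uint8_t code[] = { 0x60, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x5B, 0x81, 0xEB };
    uint32_t stored = crc32_buf(code, sizeof code);
    code[0] = 0x90;   /* PUSHAD replaced by NOP */
    return crc32_buf(code, sizeof code) != stored;
}

int main(void)
{
    printf("table[1]=%08X table[255]=%08X crc(\"123456789\")=%08X patched=%d\n",
           (unsigned)crc_table_entry(1), (unsigned)crc_table_entry(255),
           (unsigned)crc32_check_value(), demo_patch_detected());
    return 0;
}
```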
......
004A5E99 E8 00000000 Call 004A5E9E
004A5E9E 90 NOP
004A5E9F 90 NOP
004A5EA0 90 NOP
004A5EA1 90 NOP
004A5EA2 59 POP ECX
004A5EA3 81E9 9E7E4000 SUB ECX, 00407E9E
004A5EA9 BB 0B174000 MOV EBX, 0040170B
004A5EAE 03D9 ADD EBX, ECX ; compute the shell's EP
004A5EB0 B9 93670000 MOV ECX, 6793 ; length of the region to checksum
004A5EB5 E8 1C98FFFF CALL 0049F6D6 ; compute the CRC value here
004A5EBA 8985 2AC24000 MOV DWORD PTR SS:[EBP+40C22A], EAX ; CRC value saved to [4AA22A]
......
004A5F1C 6A 00 PUSH 0 ; /pModuleName = NULL
004A5F1E FF95 C0BA4000 CALL DWORD PTR SS:[EBP+40BAC0] ; \GetModuleHandleA
004A5F24 8985 DEBD4000 MOV DWORD PTR SS:[EBP+40BDDE], EAX ; hModule (ImageBase) saved to [004A9DDE]
004A5F2A 8B58 3C MOV EBX, DWORD PTR DS:[EAX+3C] ; locate the PE header
004A5F2D 039D DEBD4000 ADD EBX, DWORD PTR SS:[EBP+40BDDE]
004A5F33 899D E2BD4000 MOV DWORD PTR SS:[EBP+40BDE2], EBX
004A5F39 8B85 E2BD4000 MOV EAX, DWORD PTR SS:[EBP+40BDE2]
004A5F3F 05 F8000000 ADD EAX, 0F8
004A5F44 8985 E6BD4000 MOV DWORD PTR SS:[EBP+40BDE6], EAX ; PE header + F8: the first section header
004A5F4A 8B58 0C MOV EBX, DWORD PTR DS:[EAX+C] ; section VirtualAddress = 1000
004A5F4D 039D DEBD4000 ADD EBX, DWORD PTR SS:[EBP+40BDDE]
004A5F53 899D EABD4000 MOV DWORD PTR SS:[EBP+40BDEA], EBX ; = 401000
004A5F59 8B58 08 MOV EBX, DWORD PTR DS:[EAX+8] ; VirtualSize = 73000
004A5F5C 899D EEBD4000 MOV DWORD PTR SS:[EBP+40BDEE], EBX
004A5F62 8B58 10 MOV EBX, DWORD PTR DS:[EAX+10] ; SizeOfRawData = 31C00
004A5F65 899D F2BD4000 MOV DWORD PTR SS:[EBP+40BDF2], EBX ; now allocate the work buffer
004A5F6B FFB5 EEBD4000 PUSH DWORD PTR SS:[EBP+40BDEE] ; /MemSize = 73000 (VirtualSize)
004A5F71 6A 40 PUSH 40 ; |Flags = GPTR
004A5F73 FF95 F4BA4000 CALL DWORD PTR SS:[EBP+40BAF4] ; \GlobalAlloc
004A5F79 0BC0 OR EAX, EAX
004A5F7B 75 05 JNZ SHORT 004A5F82 ; allocation succeeded: jump
004A5F7D E9 2C3B0000 JMP 004a9aa
004A5F82 8BF8 MOV EDI, EAX ; EDI = hMem
......
004A5FC3 8B85 EABD4000 MOV EAX, DWORD PTR SS:[EBP+40BDEA]
004A5FC9 57 PUSH EDI ; /hMem = 00142AB8 (unpack buffer)
004A5FCA 50 PUSH EAX ; |packed section at 401000
004A5FCB E8 353A0000 CALL 004A9A05 ; \aPLib unpack
004A5FD0 58 POP EAX
004A5FD1 5F POP EDI
......
004A6032 FC CLD
004A6033 8B8D EEBD4000 MOV ECX, DWORD PTR SS:[EBP+40BDEE] ; VirtualSize
004A6039 8BF7 MOV ESI, EDI ; from hMem
004A603B 8BBD EABD4000 MOV EDI, DWORD PTR SS:[EBP+40BDEA] ; to 401000
004A6041 F3:A4 REP MOVS BYTE PTR ES:[EDI], BYTE PTR DS:[ESI] ; copy the unpacked code back into the section
......
004A60F4 FFB5 F6BD4000 PUSH DWORD PTR SS:[EBP+40BDF6] ; relocation delta 9E000
004A60FA FFB5 DEBD4000 PUSH DWORD PTR SS:[EBP+40BDDE] ; ImageBase
004A6100 E8 EF92FFFF CALL 0049F3F4 ; the import table is rebuilt here
0049F3F4 55 PUSH EBP
0049F3F5 8BEC MOV EBP,ESP
0049F3F7 83C4 F8 ADD ESP,-8
0049F3FA 60 PUSHAD
0049F3FB 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0049F3FE 8B50 3C MOV EDX,DWORD PTR DS:[EAX+3C] ; locate the PE header
0049F401 03C2 ADD EAX,EDX
0049F403 8B90 80000000 MOV EDX,DWORD PTR DS:[EAX+80] ; locate the import table
0049F409 0355 08 ADD EDX,DWORD PTR SS:[EBP+8]
0049F40C 8BFA MOV EDI,EDX
0049F40E 8B5F 0C MOV EBX,DWORD PTR DS:[EDI+C]
0049F411 83FB 00 CMP EBX,0
0049F414 74 3C JE SHORT 0049F452 ; import table fully processed: jump to the end
0049F416 035D 08 ADD EBX,DWORD PTR SS:[EBP+8]
0049F419 895D FC MOV DWORD PTR SS:[EBP-4],EBX
0049F41C 8B1F MOV EBX,DWORD PTR DS:[EDI]
0049F41E 035D 08 ADD EBX,DWORD PTR SS:[EBP+8]
0049F421 895D F8 MOV DWORD PTR SS:[EBP-8],EBX
0049F424 33C9 XOR ECX,ECX
0049F426 8B048B MOV EAX,DWORD PTR DS:[EBX+ECX*4]
0049F429 8B5D F8 MOV EBX,DWORD PTR SS:[EBP-8]
0049F42C 3B5D 08 CMP EBX,DWORD PTR SS:[EBP+8]
0049F42F 74 03 JE SHORT 0049F434
0049F431 89048B MOV DWORD PTR DS:[EBX+ECX*4],EAX
0049F434 8B5D FC MOV EBX,DWORD PTR SS:[EBP-4]
0049F437 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
0049F43A 05 BA124000 ADD EAX,004012BA
0049F43F 89048B MOV DWORD PTR DS:[EBX+ECX*4],EAX
0049F442 41 INC ECX
0049F443 8B048B MOV EAX,DWORD PTR DS:[EBX+ECX*4]
0049F446 83F8 00 CMP EAX,0
0049F449 74 02 JE SHORT 0049F44D ; current DLL finished: jump on to the next DLL's APIs
0049F44B ^EB D9 JMP SHORT 0049F426 ; loop back to keep restoring the import table
0049F44D 83C7 14 ADD EDI,14
0049F450 ^EB BC JMP SHORT 0049F40E
0049F452 61 POPAD
0049F453 C9 LEAVE
0049F454 C2 0800 RETN 8
......
004A61B9 FFB5 F6BD4000 PUSH DWORD PTR SS:[EBP+40BDF6] ; reloc delta
004A61BF FFB5 DEBD4000 PUSH DWORD PTR SS:[EBP+40BDDE] ; hModule
004A61C5 E8 9594FFFF CALL 0049F65F ; all the DLLs are loaded here
0049F65F 55 PUSH EBP
0049F660 8BEC MOV EBP,ESP
0049F662 60 PUSHAD
0049F663 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0049F666 8B50 3C MOV EDX,DWORD PTR DS:[EAX+3C] ; locate the PE header
0049F669 03C2 ADD EAX,EDX
0049F66B 8B90 80000000 MOV EDX,DWORD PTR DS:[EAX+80] ; locate the import table
0049F671 0355 08 ADD EDX,DWORD PTR SS:[EBP+8]
0049F674 8BFA MOV EDI,EDX
0049F676 8B5F 0C MOV EBX,DWORD PTR DS:[EDI+C]
0049F679 83FB 00 CMP EBX,0
0049F67C 74 1A JE SHORT 0049F698 ; all DLLs loaded: jump to the end
0049F67E 035D 08 ADD EBX,DWORD PTR SS:[EBP+8]
0049F681 8B5F 10 MOV EBX,DWORD PTR DS:[EDI+10]
0049F684 035D 08 ADD EBX,DWORD PTR SS:[EBP+8] ; get the DLL name
0049F687 8BF3 MOV ESI,EBX
0049F689 56 PUSH ESI ; /FileName
0049F68A 8B5D 0C MOV EBX,DWORD PTR SS:[EBP+C]
0049F68D FF93 D1BA4000 CALL DWORD PTR DS:[EBX+40BAD1] ; \LoadLibraryA
0049F693 83C7 14 ADD EDI,14
0049F696 ^EB DE JMP SHORT 0049F676 ; loop back to fetch the next DLL name
0049F698 61 POPAD
0049F699 C9 LEAVE
0049F69A C2 0800 RETN 8
......
004A7780 CC INT3 ; another exception here; remember the code we saved above?
Yes, restore the code from 4A7781 to 4A9A04 correctly.
004A7781 33C9 XOR ECX,ECX
004A7783 8B9D FEC14000 MOV EBX,DWORD PTR SS:[EBP+40C1FE] ; restore the API addresses, [4AA1FE] = 004AAA00
004A7789 EB 15 JMP SHORT 004A77A0
004A778B FF348B PUSH DWORD PTR DS:[EBX+ECX*4] ; 471CEC
004A778E FFB5 F6BD4000 PUSH DWORD PTR SS:[EBP+40BDF6] ; reloc delta = 9E000
004A7794 FFB5 DEBD4000 PUSH DWORD PTR SS:[EBP+40BDDE] ; PE header = 400000
004A779A E8 DE78FFFF CALL 0049F07D ; fill in the API address
0049F07D 55 PUSH EBP
0049F07E 8BEC MOV EBP,ESP
0049F080 83C4 EC ADD ESP,-14
0049F083 60 PUSHAD
0049F084 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0049F087 8B50 3C MOV EDX,DWORD PTR DS:[EAX+3C]
0049F08A 03C2 ADD EAX,EDX
0049F08C 8B90 80000000 MOV EDX,DWORD PTR DS:[EAX+80]
0049F092 0355 08 ADD EDX,DWORD PTR SS:[EBP+8]
0049F095 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
0049F098 8BFA MOV EDI,EDX
0049F09A 8B5F 10 MOV EBX,DWORD PTR DS:[EDI+10]
0049F09D 83FB 00 CMP EBX,0
0049F0A0 0F84 09010000 JE 0049F1AF ; jump once the import table is fully processed
0049F0A6 035D 08 ADD EBX,DWORD PTR SS:[EBP+8]
0049F0A9 895D F0 MOV DWORD PTR SS:[EBP-10],EBX
0049F0AC FF75 F0 PUSH DWORD PTR SS:[EBP-10] ; push the DLL name
0049F0AF 8B5D 0C MOV EBX,DWORD PTR SS:[EBP+C]
0049F0B2 FF93 C0BA4000 CALL DWORD PTR DS:[EBX+40BAC0] ; GetModuleHandleA: get the DLL's module handle
0049F0B8 8BD0 MOV EDX,EAX
0049F0BA 8B5F 0C MOV EBX,DWORD PTR DS:[EDI+C]
0049F0BD 035D 08 ADD EBX,DWORD PTR SS:[EBP+8]
0049F0C0 895D F8 MOV DWORD PTR SS:[EBP-8],EBX
0049F0C3 8B1F MOV EBX,DWORD PTR DS:[EDI] ; OriginalFirstThunk
0049F0C5 83FB 00 CMP EBX,0
0049F0C8 0F84 8B000000 JE 0049F159 ; jump if OriginalFirstThunk is empty
0049F0CE 035D 08 ADD EBX,DWORD PTR SS:[EBP+8]
0049F0D1 895D F4 MOV DWORD PTR SS:[EBP-C],EBX
0049F0D4 33C9 XOR ECX,ECX
0049F0D6 8B75 F4 MOV ESI,DWORD PTR SS:[EBP-C]
0049F0D9 8B048E MOV EAX,DWORD PTR DS:[ESI+ECX*4]
0049F0DC 83F8 00 CMP EAX,0
0049F0DF 0F84 C2000000 JE 0049F1A7 ; have all APIs of the current DLL been processed?
0049F0E5 25 00000080 AND EAX,80000000
0049F0EA 83F8 00 CMP EAX,0
0049F0ED 74 32 JE SHORT 0049F121 ; import by ordinal or by name? jump if by name
0049F0EF 8B048E MOV EAX,DWORD PTR DS:[ESI+ECX*4]
0049F0F2 25 FFFFFF7F AND EAX,7FFFFFFF
0049F0F7 8B5D F8 MOV EBX,DWORD PTR SS:[EBP-8]
0049F0FA 8D1C8B LEA EBX,DWORD PTR DS:[EBX+ECX*4]
0049F0FD 3B5D 10 CMP EBX,DWORD PTR SS:[EBP+10]
0049F100 75 1C JNZ SHORT 0049F11E
0049F102 51 PUSH ECX
0049F103 52 PUSH EDX
0049F104 50 PUSH EAX
0049F105 52 PUSH EDX
0049F106 8B5D 0C MOV EBX,DWORD PTR SS:[EBP+C]
0049F109 FF93 E4BA4000 CALL DWORD PTR DS:[EBX+40BAE4]
0049F10F 5A POP EDX
0049F110 59 POP ECX
0049F111 8B5D F8 MOV EBX,DWORD PTR SS:[EBP-8]
0049F114 8D1C8B LEA EBX,DWORD PTR DS:[EBX+ECX*4]
0049F117 8903 MOV DWORD PTR DS:[EBX],EAX
0049F119 E9 91000000 JMP 0049F1AF
0049F11E 41 INC ECX
0049F11F ^EB B5 JMP SHORT 0049F0D6
0049F121 8B75 F4 MOV ESI,DWORD PTR SS:[EBP-C] ; OriginalFirstThunk
0049F124 8B048E MOV EAX,DWORD PTR DS:[ESI+ECX*4]
0049F127 83F8 00 CMP EAX,0
0049F12A 74 7B JE SHORT 0049F1A7
0049F12C 0345 08 ADD EAX,DWORD PTR SS:[EBP+8]
0049F12F 83C0 02 ADD EAX,2
0049F132 8B5D F8 MOV EBX,DWORD PTR SS:[EBP-8]
0049F135 8D1C8B LEA EBX,DWORD PTR DS:[EBX+ECX*4]
0049F138 3B5D 10 CMP EBX,DWORD PTR SS:[EBP+10]
0049F13B 75 19 JNZ SHORT 0049F156
0049F13D 51 PUSH ECX
0049F13E 52 PUSH EDX
0049F13F 50 PUSH EAX ; /ProcNameOrOrdinal
0049F140 52 PUSH EDX ; |hModule
0049F141 8B5D 0C MOV EBX,DWORD PTR SS:[EBP+C]
0049F144 FF93 E4BA4000 CALL DWORD PTR DS:[EBX+40BAE4] ; \GetProcAddress
0049F14A 5A POP EDX
0049F14B 59 POP ECX
0049F14C 8B5D F8 MOV EBX,DWORD PTR SS:[EBP-8]
0049F14F 8D1C8B LEA EBX,DWORD PTR DS:[EBX+ECX*4]
0049F152 8903 MOV DWORD PTR DS:[EBX],EAX
0049F154 EB 59 JMP SHORT 0049F1AF
0049F156 41 INC ECX
0049F157 ^EB C8 JMP SHORT 0049F121
0049F159 33C9 XOR ECX,ECX
0049F15B 8B5F 24 MOV EBX,DWORD PTR DS:[EDI+24]
0049F15E 035D 08 ADD EBX,DWORD PTR SS:[EBP+8]
0049F161 895D EC MOV DWORD PTR SS:[EBP-14],EBX
0049F164 8B75 F0 MOV ESI,DWORD PTR SS:[EBP-10]
0049F167 803E 00 CMP BYTE PTR DS:[ESI],0
0049F16A 74 03 JE SHORT 0049F16F
0049F16C 46 INC ESI
0049F16D ^EB F8 JMP SHORT 0049F167
0049F16F 46 INC ESI
0049F170 3B75 EC CMP ESI,DWORD PTR SS:[EBP-14]
0049F173 74 32 JE SHORT 0049F1A7
0049F175 803E 00 CMP BYTE PTR DS:[ESI],0
0049F178 ^74 F5 JE SHORT 0049F16F
0049F17A 837E 01 00 CMP DWORD PTR DS:[ESI+1],0
0049F17E 74 2F JE SHORT 0049F1AF
0049F180 8B5D F8 MOV EBX,DWORD PTR SS:[EBP-8]
0049F183 8D1C8B LEA EBX,DWORD PTR DS:[EBX+ECX*4]
0049F186 3B5D 10 CMP EBX,DWORD PTR SS:[EBP+10]
0049F189 75 19 JNZ SHORT 0049F1A4
0049F18B 51 PUSH ECX
0049F18C 52 PUSH EDX
0049F18D 56 PUSH ESI
0049F18E 52 PUSH EDX
0049F18F 8B5D 0C MOV EBX,DWORD PTR SS:[EBP+C]
0049F192 FF93 E4BA4000 CALL DWORD PTR DS:[EBX+40BAE4]
0049F198 5A POP EDX
0049F199 59 POP ECX
0049F19A 8B5D F8 MOV EBX,DWORD PTR SS:[EBP-8]
0049F19D 8D1C8B LEA EBX,DWORD PTR DS:[EBX+ECX*4]
0049F1A0 8903 MOV DWORD PTR DS:[EBX],EAX
0049F1A2 EB 0B JMP SHORT 0049F1AF
0049F1A4 41 INC ECX
0049F1A5 ^EB C0 JMP SHORT 0049F167
0049F1A7 83C7 14 ADD EDI,14
0049F1AA ^E9 EBFEFFFF JMP 0049F09A
0049F1AF 61 POPAD
0049F1B0 C9 LEAVE
0049F1B1 C2 0C00 RETN 0C
004A779F 41 INC ECX
004A77A0 3B8D FAC14000 CMP ECX,DWORD PTR SS:[EBP+40C1FA]
004A77A6 ^72 E3 JB SHORT 004A778B ; loop over the import table entries
......
004A8303 8BC5 MOV EAX,EBP
004A8305 8B95 2AC24000 MOV EDX,DWORD PTR SS:[EBP+40C22A] ; check value 2CD76EC4
004A830B 3395 02C24000 XOR EDX,DWORD PTR SS:[EBP+40C202] ; if anything earlier was modified, the OEP the program computes here will be wrong
004A8311 8995 02C24000 MOV DWORD PTR SS:[EBP+40C202],EDX ; OEP address saved to 4AA202
004A8317 5F POP EDI
004A8318 5A POP EDX
004A8319 59 POP ECX
004A831A 5E POP ESI
004A831B 5B POP EBX
004A831C 5D POP EBP
004A831D 05 FA114000 ADD EAX,004011FA
004A8322 50 PUSH EAX
004A8323 64:FF35 00000000 PUSH DWORD PTR FS:[0]
004A832A 64:8925 00000000 MOV DWORD PTR FS:[0],ESP ; install the SEH handler (0049F1FA)
004A8331 2D FA114000 SUB EAX,004011FA
004A8336 FFB0 02C24000 PUSH DWORD PTR DS:[EAX+40C202] ; push OEP
......
004A9A04 C3 RETN ; finally reaches the OEP :-)
Now let's look at how the API calls are handled:
0049F2BA E8 00000000 CALL 0049F2BF
0049F2BF 58 POP EAX
0049F2C0 2D BF124000 SUB EAX,004012BF
0049F2C5 C780 22C24000 00000000 MOV DWORD PTR DS:[EAX+40C222],0
0049F2CF 8B80 02C24000 MOV EAX,DWORD PTR DS:[EAX+40C202] ; the program's OEP address into EAX
0049F2D5 8138 558BEC83 CMP DWORD PTR DS:[EAX],83EC8B55 ; does the OEP start with PUSH EBP / MOV EBP,ESP / ADD ESP,xx?
0049F2DB 75 06 JNZ SHORT 0049F2E3 ; jump if not
0049F2DD 58 POP EAX
0049F2DE 8B40 FC MOV EAX,DWORD PTR DS:[EAX-4]
0049F2E1 EB 7D JMP SHORT 0049F360
0049F2E3 8038 EB CMP BYTE PTR DS:[EAX],0EB ; is it a BC program (OEP starts with JMP xxxx)?
0049F2E6 75 06 JNZ SHORT 0049F2EE ; jump if not
0049F2E8 58 POP EAX
0049F2E9 8B40 FC MOV EAX,DWORD PTR DS:[EAX-4] ; get the address of the IAT slot
0049F2EC EB 72 JMP SHORT 0049F360 ; then jump on to fetch the API address
0049F2EE 8B0424 MOV EAX,DWORD PTR SS:[ESP]
0049F2F1 817C24 04 00000080 CMP DWORD PTR SS:[ESP+4],80000000
0049F2F9 73 06 JNB SHORT 0049F301
0049F2FB 334424 04 XOR EAX,DWORD PTR SS:[ESP+4]
0049F2FF EB 08 JMP SHORT 0049F309
0049F301 8B0424 MOV EAX,DWORD PTR SS:[ESP]
0049F304 8B40 FC MOV EAX,DWORD PTR DS:[EAX-4]
0049F307 EB 57 JMP SHORT 0049F360
0049F309 3D 00001000 CMP EAX,100000
0049F30E 73 06 JNB SHORT 0049F316
0049F310 58 POP EAX
0049F311 8B40 FC MOV EAX,DWORD PTR DS:[EAX-4]
0049F314 EB 4A JMP SHORT 0049F360
0049F316 3D 00000070 CMP EAX,70000000
0049F31B 73 08 JNB SHORT 0049F325
0049F31D 8B0424 MOV EAX,DWORD PTR SS:[ESP]
0049F320 8B40 FC MOV EAX,DWORD PTR DS:[EAX-4]
0049F323 EB 3B JMP SHORT 0049F360
0049F325 813C24 00000070 CMP DWORD PTR SS:[ESP],70000000
0049F32C 73 01 JNB SHORT 0049F32F
0049F32E 58 POP EAX
0049F32F E8 00000000 CALL 0049F334
0049F334 58 POP EAX
0049F335 2D 34134000 SUB EAX,00401334
0049F33A C780 22C24000 01000000 MOV DWORD PTR DS:[EAX+40C222],1
0049F344 8B8424 E4000000 MOV EAX,DWORD PTR SS:[ESP+E4]
0049F34B 3D 03000080 CMP EAX,80000003
0049F350 0F85 98000000 JNZ 0049F3EE
0049F356 8B8424 F0000000 MOV EAX,DWORD PTR SS:[ESP+F0]
0049F35D 8B40 02 MOV EAX,DWORD PTR DS:[EAX+2]
0049F360 60 PUSHAD ; next, the IAT slot is filled
0049F361 E8 00000000 CALL 0049F366
0049F366 5D POP EBP
0049F367 81ED 66134000 SUB EBP,00401366 ; compute the reloc delta
0049F36D 50 PUSH EAX ; push the IAT slot address
0049F36E FFB5 F6BD4000 PUSH DWORD PTR SS:[EBP+40BDF6] ; push reloc delta (9E000)
0049F374 FFB5 DEBD4000 PUSH DWORD PTR SS:[EBP+40BDDE] ; push hModule
0049F37A E8 FEFCFFFF CALL 0049F07D ; resolve the API address via GetProcAddress
0049F37F 61 POPAD
0049F380 52 PUSH EDX
0049F381 51 PUSH ECX
0049F382 E8 00000000 CALL 0049F387
0049F387 5A POP EDX
0049F388 81EA 87134000 SUB EDX,00401387
0049F38E 81C2 BA124000 ADD EDX,004012BA ; compute the stub's own address (reloc delta + 4012BA = 0049F2BA)
0049F394 8B08 MOV ECX,DWORD PTR DS:[EAX] ; the API address goes into ECX
0049F396 8910 MOV DWORD PTR DS:[EAX],EDX ; once the API address has been taken, put the stub pointer back into the slot (restore the "scene")
0049F398 8BC1 MOV EAX,ECX
0049F39A 59 POP ECX
0049F39B 5A POP EDX
0049F39C 52 PUSH EDX
0049F39D E8 00000000 CALL 0049F3A2
0049F3A2 5A POP EDX
0049F3A3 81EA A2134000 SUB EDX,004013A2 ; compute the reloc delta
0049F3A9 83BA 22C24000 00 CMP DWORD PTR DS:[EDX+40C222],0
0049F3B0 75 05 JNZ SHORT 0049F3B7
0049F3B2 5A POP EDX
0049F3B3 FFE0 JMP EAX ; jump to the API function
0049F3B5 EB 37 JMP SHORT 0049F3EE
0049F3B7 5A POP EDX
0049F3B8 8BBC24 F0000000 MOV EDI,DWORD PTR SS:[ESP+F0]
0049F3BF 83C7 01 ADD EDI,1
0049F3C2 803F 3D CMP BYTE PTR DS:[EDI],3D
0049F3C5 74 0B JE SHORT 0049F3D2
0049F3C7 8B7D 10 MOV EDI,DWORD PTR SS:[EBP+10]
0049F3CA 8987 A0000000 MOV DWORD PTR DS:[EDI+A0],EAX
0049F3D0 EB 09 JMP SHORT 0049F3DB
0049F3D2 8B7D 10 MOV EDI,DWORD PTR SS:[EBP+10]
0049F3D5 8987 9C000000 MOV DWORD PTR DS:[EDI+9C],EAX
0049F3DB 8B8424 F0000000 MOV EAX,DWORD PTR SS:[ESP+F0]
0049F3E2 83C0 06 ADD EAX,6
0049F3E5 8987 B8000000 MOV DWORD PTR DS:[EDI+B8],EAX
0049F3EB 33C0 XOR EAX,EAX
0049F3ED C3 RETN
Having analyzed how the APIs are handled, I wrote a repair block:
00473601 60 PUSHAD
00473602 B8 24EE4500 MOV EAX,0045EE24 ; JMP to borlndmm.GetAllocMemCount
00473607 66:8138 FF15 CMP WORD PTR DS:[EAX],15FF
0047360C 75 33 JNZ SHORT 00473641
0047360E 8B50 02 MOV EDX,DWORD PTR DS:[EAX+2]
00473611 81FA 00000008 CMP EDX,8000000
00473617 73 28 JNB SHORT 00473641
00473619 81FA 00004000 CMP EDX,00400000 ; ASCII "MZP"
0047361F 72 20 JB SHORT 00473641
00473621 813A BAF24900 CMP DWORD PTR DS:[EDX],0049F2BA
00473627 75 15 JNZ SHORT 0047363E
00473629 52 PUSH EDX ; address of the slot to fill
0047362A 68 00E00900 PUSH 9E000 ; reloc delta
0047362F 68 00004000 PUSH 00400000 ; ASCII "MZP"
00473634 E8 44BA0200 CALL 0049F07D ; fill in the API address
00473639 66:C700 FF25 MOV WORD PTR DS:[EAX],25FF
0047363E 83C0 05 ADD EAX,5
00473641 40 INC EAX
00473642 3D 58F74500 CMP EAX,0045F758
00473647 ^72 BE JB SHORT 00473607
00473649 61 POPAD
0047364A ^E9 EDDBF8FF JMP 0040123C
'------------------------------ binary code ------------------------------
60 B8 24 EE 45 00 66 81 38 FF 15 75 33 8B 50 02 81 FA 00 00 00 08 73 28 81 FA 00 00 40 00 72 20
81 3A BA F2 49 00 75 15 52 68 00 E0 09 00 68 00 00 40 00 E8 44 BA 02 00 66 C7 00 FF 25 83 C0 05
40 3D 58 F7 45 00 72 BE 61 E9 ED DB F8 FF
'-------------------------------------------------------------------------
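The scan-and-patch logic of the repair block above, written as an added Python example (not the article's code) that runs offline over a constructed image: the stub address 0049F2BA, the 00400000..08000000 slot range check, the FF 15 to FF 25 opcode rewrite and the 6-byte/1-byte stepping are taken from the listing, while the protector's own resolver at 0049F07D is replaced by a constructed slot-to-address map, and the image size, thunk and IAT positions are sample values.

```python
import struct

IMAGE_BASE = 0x00400000
STUB_ADDR = 0x0049F2BA                          # protector's API stub (from the listing)
SLOT_LOW, SLOT_HIGH = 0x00400000, 0x08000000    # same range check as the assembly

def repair_thunks(image, start_va, end_va, resolve_api):
    """Scan [start_va, end_va) for CALL DWORD PTR [slot] (FF 15 imm32).

    Where the slot is in range and still holds STUB_ADDR, write the real API
    address into it and turn the opcode into JMP DWORD PTR [slot] (FF 25).
    Stepping mirrors the assembly: a recognised FF 15 with an in-range slot
    skips its 6 bytes, anything else advances one byte. Returns repaired slots.
    """
    repaired = []
    va = start_va
    while va < end_va:
        off = va - IMAGE_BASE
        if image[off:off + 2] == b"\xff\x15":
            slot = struct.unpack_from("<I", image, off + 2)[0]
            if SLOT_LOW <= slot < SLOT_HIGH:
                slot_off = slot - IMAGE_BASE          # the real loop reads process memory
                if slot_off + 4 <= len(image) and \
                        struct.unpack_from("<I", image, slot_off)[0] == STUB_ADDR:
                    struct.pack_into("<I", image, slot_off, resolve_api(slot))
                    image[off + 1] = 0x25             # CALL [slot] -> JMP [slot]
                    repaired.append(slot)
                va += 5                               # ADD EAX,5 before the INC EAX
        va += 1
    return repaired

def build_sample():
    """Constructed image: four FF 15 thunks at 0x401000 and an IAT at 0x402000."""
    image = bytearray(0x3000)
    iat = 0x402000
    # slots 0 and 2 still point at the stub, slot 1 was already resolved
    struct.pack_into("<III", image, iat - IMAGE_BASE, STUB_ADDR, 0x7C80B741, STUB_ADDR)
    thunks = b"".join(b"\xff\x15" + struct.pack("<I", iat + 4 * i) for i in range(3))
    thunks += b"\xff\x15" + struct.pack("<I", 0x00001234)   # operand outside the slot range
    image[0x1000:0x1000 + len(thunks)] = thunks
    fake_api = {iat: 0x7C801D7B, iat + 8: 0x7C809AE4}      # constructed API addresses
    return image, iat, fake_api

def run_sample():
    """Repair the constructed image; returns (repaired slots, thunk opcodes, IAT)."""
    image, iat, fake_api = build_sample()
    fixed = repair_thunks(image, 0x401000, 0x401000 + 24, lambda s: fake_api[s])
    opcodes = [image[0x1000 + 6 * i + 1] for i in range(4)]
    slots = list(struct.unpack_from("<III", image, iat - IMAGE_BASE))
    return fixed, opcodes, slots
```

The already-resolved slot is skipped as a whole instruction, exactly as the JNZ to 0047363E does, and the out-of-range operand is stepped over one byte at a time.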
After the patch has run, dump with LordPE and use OEP: 123C, RVA: 000710C8, Size: 00000C74; the repair is complete. OK!
I wanted to look at this shell last year, but time was tight, so it dragged on into this year. Understanding the shell fully and writing this article took a few days.
Greetz:
Fly.jingulong, Yock, TDASM.David.hexer, Hmimys, Ahao.ufo (Brother) .aran (Sister) .all of my friends and you!
By LoveBoom [DFCG] [FCG] [US]
Email: loveboom # 163.com
Date: 2005-02-25 12:24